An SSL certificate has to be signed by a certificate authority. A certificate authority (CA) is a trusted entity that issues Secure Sockets Layer (SSL) certificates. A certificate authority is not a person or not an organization. It’s actually a system that holds a few encrypted files. Using this set of encrypted files the system generates and signs the SSL certificate. This certificate then has to be placed on the server SSL configuration. So any computer system having similar files could be termed a CA.
Certificate Authority(CA) Files:
- RSA private key file for Certificate Authority(CA) (
- Certificate file for Certificate Authority(CA) (
So a self-signed SSL certificate is a certificate that is signed by the same system that generates it using the set of CA files.
Usually, the SSL certificates that we get from the hosting service provider are signed by a renowned Certificate Authority. And they cost some money as a subscription in most cases. It is not really possible to get that SSL certificate to work for our local domains. Also, these certificates are issued for a specific domain and all its subdomains that are available online. So using it in the local domain is not possible.
Brief about SSL/TLS. How it helps protect your site and gains users’ trust.
SSL/TLS is an encryption technology used to protect data on the internet by encrypting them cryptographically. You can easily identify whether a website you are accessing on the internet is using SSL or not just by looking at the URI of the website. If you try to edit the URI present on the web browser address bar then you will see http:// or https:// at the very beginning of the URI. If the URI starts with https:// then it uses SSL/TLS encryption. And hence private data that you fill in any of the forms on that website is secure. It can not be compromised by any 3rd person spying for users’ confidential information like credit card details etc.
We will learn how to do the following in this article.
- how to create/issue a self-signed SSL certificate
- why my self-signed certificate shows as not trusted one
- how to trust a self-signed certificate in your system/browser
- how to add a self-signed certificate in the Google Chrome browser
Let’s understand the process of making a trusted SSL certificate for localhost.
Now that we understand what SSL/TLS is and how it helps protect our confidential data on the internet, let’s now understand as a developer why we might need SSL/TLS in our local development environment.
- Accessing certain APIs require SSL like most payment gateways in sandbox mode as well.
- Integrating Service Worker on the website
The following steps involved in creating a trusted SSL certificate for the local development environment
- Generate files to become a Certificate Authority (CA)
- Create a 2048-bit RSA PRIVATE KEY with the des3 algorithm
- Make a CERTIFICATE REQUEST
- Trust the certificate in your system
- Create an SSL Certificate Signing Request (CSR)
- Self-signing the SSL Certificate
Before starting make a directory that will be our working directory. All sorts of files will be generated here. Get inside the directory and start a terminal application with administrative privileges. We will be using the OpenSSL and CertUtil tools for this tutorial. These tools come pre-installed in most of the OS. Please refer to https://www.openssl.org/ for download and installation. To check whether OpenSSL is installed or not in your OS type “
openssl version” from the terminal/command prompt application.
Create a 2048-bit RSA PRIVATE KEY with the 3DES algorithm for Certificate Authority (CA)
Using the below command we will generate a private RSA key file with the specified cryptographic algorithm and with the specified key length. In the cryptography world, the 3DES (Triple DES or TDES) is called Triple Data Encryption Algorithm. You can give any name to your key file but the extension should match.
openssl genrsa -des3 -out localDockerCA.key 2048
You will be prompted to provide a password here for the key file. Enter your secure password and remember it. We will be using it later.
Certificate Request for Certificate Authority (CA)
This is how a self-signed SSL certificate is created. Instead of signing the SSL certificate from a globally renowned certificate authority we as developers became the authority and self-sign the certificate using our own CA(certificate authority). So let’s generate our CA certificate.
openssl req -x509 -new -nodes -key localDockerCA.key -sha256 -days 1460 -out localDockerCA.pem
Here you will be asked several questions about the CA.
- Country Name (2-letter code) [AU]:
- State or Province Name (full name) [Some-State]:
- Locality Name (eg, city) :
- Organization Name (eg, company) [Internet Widgits Pty Ltd]:
- Organizational Unit Name (eg, section) :
- Common Name (e.g. server FQDN or YOUR name) :
- Email Address :
Trust the certificate authority (CA) in your system
This is the main thing that we need to do to actually make our self-signed certificate a trusted one. By default, a self-signed certificate is not trusted by any operating system. We have to make our OS understand that we trust the certificate and so you do. This is how we became a certificate authority.
certutil -addstore -f "ROOT" localDockerCA.pem
Create an SSL Certificate Signing Request (CSR)
Create one OpenSSL CSR configuration file named (
server.csr.cnf) in the working directory. Contents for this file should be something like the below.
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
O=Local Docker Dev
Let’s try to understand the OpenSSL CSR configuration file.
- C = Country code in 2 letters
- ST = State/Province/Region code in 2 letters
- L = Locality
- O = Organization
- OU = Organizational Unit
- CN = Common Name
After creating the configuration file we will run the following command from the terminal. This will generate a
server.key file which we will use in the server SSL configuration.
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf
Self-signing the Server SSL Certificate
Let’s do the most awaited job now. Sign the SSL certificate by yourself. Before that, we have to create one
.ext file like the below one. We name the file
v3.ext and save the below-given content init.
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
DNS.1 = *.local.docker
DNS.2 = localhost
We have two DNS configurations in this file. One is for
localhost and the other one is for the
local.docker domain and all of its subdomains. (*.local.docker means the main domain and all of its subdomains).
Now we can trigger the following command to self-sign the SSL certificate by the CA we just created and trusted above.
openssl x509 -req -in server.csr -CA localDockerCA.pem -CAkey localDockerCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext
Using the self-signed certificate generated
At this stage, we have 2 important files generated in our working directory named
server.key. We need to keep these files in the server system and add these files to the virtual host configuration as given below. I am doing all my development inside docker containers so I placed the two files in my docker container and linked the paths as given below.
You can keep your files at any secure location so that they won’t get lost and link the absolute path to the SSL/443 part of the virtual host configuration.
Create once and use it for as many local websites as you want. Just add the new virtual domain to the list of the DNS and sign the certificate again or use subdomains.
Let me know your experience in the comment below.